Dynamically defined virtual private network tunnels in hybrid cloud environments

ABSTRACT

A method, apparatus and computer program product manage a plurality of VPN tunnels between a first cloud and a second cloud in a hybrid cloud environment. A method in a first VPN agent manages a first VPN tunnel in a plurality of VPN tunnels between a first cloud and a second cloud in a hybrid cloud environment. The VPN agent receives a request from a VPN manager. The request includes a first set of requirements for the first VPN tunnel in the plurality of VPN tunnels. The VPN agent creates the first VPN tunnel according to the first set of requirements. The VPN agent tunes the first VPN tunnel according to a second set of requirements. The tuning of the first VPN tunnel can include merging the first VPN tunnel with a second VPN tunnel, or splitting the first VPN tunnel into a first and second VPN tunnel.

BACKGROUND OF THE INVENTION Technical Field

This disclosure relates generally to communications in a “cloud”computing environment. More particularly, it relates to dynamicallycreating virtual private network tunnels in a hybrid cloud environment.

Background of the Related Art

An emerging information technology (IT) delivery model is cloudcomputing, by which shared resources, software and information areprovided over the Internet to computers and other devices on-demand.Cloud computing can significantly reduce IT costs and complexities whileimproving workload optimization and service delivery. With thisapproach, an application instance can be hosted and made available fromInternet-based resources that are accessible through a conventional Webbrowser over HTTP. An example application might be one that provides acommon set of messaging functions, such as email, calendaring, contactmanagement, and instant messaging. A user would then access the servicedirectly over the Internet. Using this service, an enterprise wouldplace its email, calendar and/or collaboration infrastructure in thecloud, and an end user would use an appropriate client to access his orher email, or perform a calendar operation.

Cloud computing resources are typically housed in large server farmsthat run network applications, either using a hardware architecture,so-called bare metal cloud hosting, or using a virtualized architecturewherein applications run inside virtual servers, or so-called “virtualmachines” (VMs), that are mapped onto physical servers in a data centerfacility. The virtual machines typically run on top of a hypervisor,which is a control program that allocates physical resources to thevirtual machines.

It is known for an organization to arrange computing resources in ahybrid cloud environment, containing both a private cloud in which thecomputing resources are owned by the organization and provide servicesonly for that organization, and a public cloud in which anotherorganization provides computing services for a plurality of “tenants”including the organization operating the hybrid cloud. One benefit of ahybrid cloud model is having on-premises, private infrastructure that isdirectly accessible, while providing access to the public cloudenvironment in times of high demand. With this integration, however,there is a need for secure communication between the two environments.One way in which communications are established is through a dedicatedvirtual public network (VPN) tunnel.

The disclosure below details ways to improve VPN communication in ahybrid cloud environment.

BRIEF SUMMARY

According to this disclosure, a method, apparatus and computer programproduct for managing a plurality of VPN tunnels between a first cloudand a second cloud in a hybrid cloud environment is described. In afirst aspect of the invention, a method in a first VPN agent manages afirst VPN tunnel in a plurality of VPN tunnels between a first cloud anda second cloud in a hybrid cloud environment. The VPN agent receives arequest from a VPN manager. The request includes a first set ofrequirements for the first VPN tunnel in the plurality of VPN tunnels.The VPN agent creates the first VPN tunnel according to the first set ofrequirements. A modification request is received from the VPN managercontaining a second set of requirements. The VPN agent tunes the firstVPN tunnel according to a second set of requirements.

In another aspect of the invention, an apparatus, including a processorand a computer memory holding computer program instructions executed bythe processor manages the first VPN tunnel. The computer programinstructions include program code which receives a first request from aVPN manager. The request includes a first set of requirements for thefirst VPN tunnel in the plurality of VPN tunnels. The program codecreates the first VPN tunnel according to the first set of requirements.A second request from the VPN manager is received by the program code.The second request includes a second set of requirements for a secondVPN tunnel in the plurality of VPN tunnels. The program code creates thesecond VPN tunnel according to the second set of requirements. A mergerequest to merge the second VPN tunnel into the first VPN tunnel isreceived by the program code. The program code merges the first VPNtunnel and the second VPN tunnel. The program tunes the first VPN tunnelaccording to a second set of requirements.

In another aspect of the invention, a computer program product in anon-transitory computer readable medium when executed by the processormanages a first VPN tunnel of a plurality of VPN tunnels between a firstcloud and a second cloud in a hybrid cloud environment. The computerprogram instructions include program code which receives a first requestfrom a VPN manager, the first request including a first set ofrequirements for a first VPN tunnel in the plurality of VPN tunnels.Program code creates the first VPN tunnel according to the first set ofrequirements. The program code receives a second request from the VPNmanager. The second request includes a second set of requirements for aVPN tunnel in the plurality of VPN tunnels. Program code modifies thefirst VPN tunnel according to the second set of requirements. The firstset of requirements is for traffic from a first cloud application andthe second set of requirements is for traffic from a second cloudapplication and the first VPN tunnel carries traffic from first andsecond cloud applications. The program code receives a split request forthe first VPN tunnel. The program code splits the first VPN tunnel intothe first VPN tunnel and a second VPN tunnel. The VPN agent tunes thefirst VPN tunnel according to the first set of requirements for trafficfor the first cloud application and tunes the second VPN tunnelaccording to a second set of requirements for traffic for the secondcloud application.

The foregoing has outlined some of the more pertinent features of thedisclosed subject matter. These features should be construed to bemerely illustrative. Many other beneficial results can be attained byapplying the disclosed subject matter in a different manner or bymodifying the invention as will be described.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present invention and theadvantages thereof, reference is now made to the following descriptionstaken in conjunction with the accompanying drawings, in which:

FIG. 1 depicts an exemplary block diagram of a distributed dataprocessing environment in which exemplary aspects of the illustrativeembodiments may be implemented;

FIG. 2 is an exemplary block diagram of a data processing system inwhich exemplary aspects of the illustrative embodiments may beimplemented;

FIG. 3 illustrates an exemplary cloud computing architecture in whichthe disclosed subject matter may be implemented;

FIG. 4 is a high level flow diagram of a preferred embodiment of theinvention;

FIG. 5 illustrates a hybrid cloud environment in which an embodiment ofthe invention can be implemented;

FIG. 6 illustrates a graphical user interface in which the VPN tunnelsand VPN properties can be displayed to an administrator user;

FIGS. 7A-7C respectively depict changing the properties, merging VPNtunnels and spiltting of a VPN tunnel in response to changes in the userapplication demands;

FIG. 8 is a flow diagram of event and log management in one embodimentof the invention;

FIG. 9 is a flow diagram of the creation and modification of VPN tunnelsaccording to one embodiment on the invention; and

FIG. 10 depicts creating a VPN between cloud environments managed by twodifferent VPN Managers based on a federation model.

DETAILED DESCRIPTION OF AN ILLUSTRATIVE EMBODIMENT

Hybrid cloud environments drive the need for secure communicationbetween applications between different cloud hosting environments. Asthe number of applications and platforms grows, the number ofcommunication paths which need to be secured grows rapidly. Today,customers often install dedicated VPNs to bridge between differentclouds in the hybrid cloud environments, but dedicated VPNs drag along anumber of drawbacks, including limited flexibility and creating a largecommunication hole (by opening up the firewall to allow communication)in environments that need to be secured. For a highly-granularrequirement like event management across a hybrid cloud environment,small logs may be sent from a plethora of devices to a central server,yet traditional VPN options require wide communication channels to beopened between the source devices and the central server far in excessof that which is required to transmit the small amount of data. Thepresent invention provides a means to provide more highly tuned VPNsbased on application requirements and topology requirements for thehybrid cloud environment than prior art solutions.

A “hybrid cloud environment” is a cloud environment which contains botha private cloud in which the computing resources are owned by theorganization and provide services only for that organization, and apublic cloud in which another organization provides computing servicesfor a plurality of “tenants” including the organization.

A “node” can be any electronic device, client, server, peer, service,application, or other object capable of sending, receiving, orforwarding information over communications channels in a network.

A “VPN agent” is an application which manages a VPN tunnel at one of thetwo nodes which are endpoints of the tunnel.

A “VPN manager” is a cloud application which manages an infrastructureof VPN tunnels in the hybrid cloud environment. In preferredembodiments, the VPN Manager also manages an infrastructure of VPNagents which in turn manage respective VPN tunnels.

A “VPN tunnel” is a communications channel between two nodes thattransports data by encapsulating the data's Internet Protocol (IP)packets according to any suitable cryptographic tunneling protocol.

With reference now to the drawings and in particular with reference toFIGS. 1-2, exemplary diagrams of data processing environments areprovided in which illustrative embodiments of the disclosure may beimplemented. It should be appreciated that FIGS. 1-2 are only exemplaryand are not intended to assert or imply any limitation with regard tothe environments in which aspects or embodiments of the disclosedsubject matter may be implemented. Many modifications to the depictedenvironments may be made without departing from the spirit and scope ofthe present invention.

With reference now to the drawings, FIG. 1 depicts a pictorialrepresentation of an exemplary distributed data processing system inwhich aspects of the illustrative embodiments may be implemented.Distributed data processing system 100 may include a network ofcomputers in which aspects of the illustrative embodiments may beimplemented. The distributed data processing system 100 contains atleast one network 102, which is the medium used to provide communicationlinks between various devices and computers connected together withindistributed data processing system 100. The network 102 may includeconnections, such as wire, wireless communication links, or fiber opticcables.

In the depicted example, server 104 and server 106 are connected tonetwork 102 along with storage unit 108. In addition, clients 110, 112,and 114 are also connected to network 102. These clients 110, 112, and114 may be, for example, personal computers, network computers, or thelike. In the depicted example, server 104 provides data, such as bootfiles, operating system images, and applications to the clients 110,112, and 114. Clients 110, 112, and 114 are clients to server 104 in thedepicted example. Distributed data processing system 100 may includeadditional servers, clients, and other devices not shown.

In the depicted example, distributed data processing system 100 is theInternet with network 102 representing a worldwide collection ofnetworks and gateways that use the Transmission ControlProtocol/Internet Protocol (TCP/IP) suite of protocols to communicatewith one another. At the heart of the Internet is a backbone ofhigh-speed data communication lines between major nodes or hostcomputers, consisting of thousands of commercial, governmental,educational and other computer systems that route data and messages. Ofcourse, the distributed data processing system 100 may also beimplemented to include a number of different types of networks, such asfor example, an intranet, a local area network (LAN), a wide areanetwork (WAN), or the like. As stated above, FIG. 1 is intended as anexample, not as an architectural limitation for different embodiments ofthe disclosed subject matter, and therefore, the particular elementsshown in FIG. 1 should not be considered limiting with regard to theenvironments in which the illustrative embodiments of the presentinvention may be implemented.

With reference now to FIG. 2, a block diagram of an exemplary dataprocessing system is shown in which aspects of the illustrativeembodiments may be implemented. Data processing system 200 is an exampleof a computer, such as client 110 in FIG. 1, in which computer usablecode or instructions implementing the processes for illustrativeembodiments of the disclosure may be located.

With reference now to FIG. 2, a block diagram of a data processingsystem is shown in which illustrative embodiments may be implemented.Data processing system 200 is an example of a computer, such as server104 or client 110 in FIG. 1, in which computer-usable program code orinstructions implementing the processes may be located for theillustrative embodiments. In this illustrative example, data processingsystem 200 includes communications fabric 202, which providescommunications between processor unit 204, memory 206, persistentstorage 208, communications unit 210, input/output (I/O) unit 212, anddisplay 214.

Processor unit 204 serves to execute instructions for software that maybe loaded into memory 206. Processor unit 204 may be a set of one ormore processors or may be a multi-processor core, depending on theparticular implementation. Further, processor unit 204 may beimplemented using one or more heterogeneous processor systems in which amain processor is present with secondary processors on a single chip. Asanother illustrative example, processor unit 204 may be a symmetricmulti-processor (SMP) system containing multiple processors of the sametype.

Memory 206 and persistent storage 208 are examples of storage devices. Astorage device is any piece of hardware that is capable of storinginformation either on a temporary basis and/or a permanent basis. Memory206, in these examples, may be, for example, a random access memory orany other suitable volatile or non-volatile storage device. Persistentstorage 208 may take various forms depending on the particularimplementation. For example, persistent storage 208 may contain one ormore components or devices. For example, persistent storage 208 may be ahard drive, a flash memory, a rewritable optical disk, a rewritablemagnetic tape, or some combination of the above. The media used bypersistent storage 208 also may be removable. For example, a removablehard drive may be used for persistent storage 208.

Communications unit 210, in these examples, provides for communicationswith other data processing systems or devices. In these examples,communications unit 210 is a network interface card. Communications unit210 may provide communications through the use of either or bothphysical and wireless communications links.

Input/output unit 212 allows for input and output of data with otherdevices that may be connected to data processing system 200. Forexample, input/output unit 212 may provide a connection for user inputthrough a keyboard and mouse. Further, input/output unit 212 may sendoutput to a printer. Display 214 provides a mechanism to displayinformation to a user.

Instructions for the operating system and applications or programs arelocated on persistent storage 208. These instructions may be loaded intomemory 206 for execution by processor unit 204. The processes of thedifferent embodiments may be performed by processor unit 204 usingcomputer implemented instructions, which may be located in a memory,such as memory 206. These instructions are referred to as program code,computer-usable program code, or computer-readable program code that maybe read and executed by a processor in processor unit 204. The programcode in the different embodiments may be embodied on different physicalor tangible computer-readable media, such as memory 206 or persistentstorage 208.

Program code 216 is located in a functional form on computer-readablemedia 218 that is selectively removable and may be loaded onto ortransferred to data processing system 200 for execution by processorunit 204. Program code 216 and computer-readable media 218 form computerprogram product 220 in these examples. In one example, computer-readablemedia 218 may be in a tangible form, such as, for example, an optical ormagnetic disc that is inserted or placed into a drive or other devicethat is part of persistent storage 208 for transfer onto a storagedevice, such as a hard drive that is part of persistent storage 208. Ina tangible form, computer-readable media 218 also may take the form of apersistent storage, such as a hard drive, a thumb drive, or a flashmemory that is connected to data processing system 200. The tangibleform of computer-readable media 218 is also referred to ascomputer-recordable storage media. In some instances,computer-recordable media 218 may not be removable.

Alternatively, program code 216 may be transferred to data processingsystem 200 from computer-readable media 218 through a communicationslink to communications unit 210 and/or through a connection toinput/output unit 212. The communications link and/or the connection maybe physical or wireless in the illustrative examples. Thecomputer-readable media also may take the form of non-tangible media,such as communications links or wireless transmissions containing theprogram code. The different components illustrated for data processingsystem 200 are not meant to provide architectural limitations to themanner in which different embodiments may be implemented. The differentillustrative embodiments may be implemented in a data processing systemincluding components in addition to or in place of those illustrated fordata processing system 200. Other components shown in FIG. 2 can bevaried from the illustrative examples shown. As one example, a storagedevice in data processing system 200 is any hardware apparatus that maystore data. Memory 206, persistent storage 208, and computer-readablemedia 218 are examples of storage devices in a tangible form.

In another example, a bus system may be used to implement communicationsfabric 202 and may be comprised of one or more buses, such as a systembus or an input/output bus. Of course, the bus system may be implementedusing any suitable type of architecture that provides for a transfer ofdata between different components or devices attached to the bus system.Additionally, a communications unit may include one or more devices usedto transmit and receive data, such as a modem or a network adapter.Further, a memory may be, for example, memory 206 or a cache such asfound in an interface and memory controller hub that may be present incommunications fabric 202.

Computer program code for carrying out operations of the presentinvention may be written in any combination of one or more programminglanguages, including an object-oriented programming language such asJava™, Smalltalk, C++, C#, Objective-C, or the like, and conventionalprocedural programming languages. The program code may execute entirelyon the user's computer, partly on the user's computer, as a stand-alonesoftware package, partly on the user's computer and partly on a remotecomputer, or entirely on the remote computer or server. In the latterscenario, the remote computer may be connected to the user's computerthrough any type of network, including a local area network (LAN) or awide area network (WAN), or the connection may be made to an externalcomputer (for example, through the Internet using an Internet ServiceProvider).

Those of ordinary skill in the art will appreciate that the hardware inFIGS. 1-2 may vary depending on the implementation. Other internalhardware or peripheral devices, such as flash memory, equivalentnon-volatile memory, or optical disk drives and the like, may be used inaddition to or in place of the hardware depicted in FIGS. 1-2. Also, theprocesses of the illustrative embodiments may be applied to amultiprocessor data processing system, other than the SMP systemmentioned previously, without departing from the spirit and scope of thedisclosed subject matter.

As will be seen, the techniques described herein may operate inconjunction within the standard client-server paradigm such asillustrated in FIG. 1 in which client machines communicate with anInternet-accessible Web-based portal executing on a set of one or moremachines. End users operate Internet-connectable devices (e.g., desktopcomputers, notebook computers, Internet-enabled mobile devices, or thelike) that are capable of accessing and interacting with the portal.Typically, each client or server machine is a data processing systemsuch as illustrated in FIG. 2 comprising hardware and software, andthese entities communicate with one another over a network, such as theInternet, an intranet, an extranet, a private network, or any othercommunications medium or link. A data processing system typicallyincludes one or more processors, an operating system, one or moreapplications, and one or more utilities. The applications on the dataprocessing system provide native support for Web services including,without limitation, support for HTTP, SOAP, XML, WSDL, UDDI, and WSFL,among others. Information regarding SOAP, WSDL, UDDI and WSFL isavailable from the World Wide Web Consortium (W3C), which is responsiblefor developing and maintaining these standards; further informationregarding HTTP and XML is available from Internet Engineering Task Force(IETF). Familiarity with these standards is presumed.

Cloud computing is a model of service delivery for enabling convenient,on-demand network access to a shared pool of configurable computingresources (e.g. networks, network bandwidth, servers, processing,memory, storage, applications, virtual machines, and services) that canbe rapidly provisioned and released with minimal management effort orinteraction with a provider of the service. This cloud model may includeat least five characteristics, at least three service models, and atleast four deployment models, all as more particularly described anddefined in “Draft NIST Working Definition of Cloud Computing” by PeterMell and Tim Grance, dated Oct. 7, 2009.

In particular, the following are typical characteristics:

On-demand self-service: a cloud consumer can unilaterally provisioncomputing capabilities, such as server time and network storage, asneeded automatically without requiring human interaction with theservice's provider.

Broad network access: capabilities are available over a network andaccessed through standard mechanisms that promote use by heterogeneousthin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

Resource pooling: the provider's computing resources are pooled to servemultiple consumers using a multi-tenant model, with different physicaland virtual resources dynamically assigned and reassigned according todemand. There is a sense of location independence in that the consumergenerally has no control or knowledge over the exact location of theprovided resources but may be able to specify location at a higher levelof abstraction (e.g., country, state, or datacenter).

Rapid elasticity: capabilities can be rapidly and elasticallyprovisioned, in some cases automatically, to quickly scale out andrapidly released to quickly scale in. To the consumer, the capabilitiesavailable for provisioning often appear to be unlimited and can bepurchased in any quantity at any time.

Measured service: cloud systems automatically control and optimizeresource use by leveraging a metering capability at some level ofabstraction appropriate to the type of service (e.g., storage,processing, bandwidth, and active user accounts). Resource usage can bemonitored, controlled, and reported providing transparency for both theprovider and consumer of the utilized service.

The Service Models typically are as follows:

Software as a Service (SaaS): the capability provided to the consumer isto use the provider's applications running on a cloud infrastructure.The applications are accessible from various client devices through athin client interface such as a web browser (e.g., web-based e-mail).The consumer does not manage or control the underlying cloudinfrastructure including network, servers, operating systems, storage,or even individual application capabilities, with the possible exceptionof limited user-specific application configuration settings.

Platform as a Service (PaaS): the capability provided to the consumer isto deploy onto the cloud infrastructure consumer-created or acquiredapplications created using programming languages and tools supported bythe provider. The consumer does not manage or control the underlyingcloud infrastructure including networks, servers, operating systems, orstorage, but has control over the deployed applications and possiblyapplication hosting environment configurations.

Infrastructure as a Service (IaaS): the capability provided to theconsumer is to provision processing, storage, networks, and otherfundamental computing resources where the consumer is able to deploy andrun arbitrary software, which can include operating systems andapplications. The consumer does not manage or control the underlyingcloud infrastructure but has control over operating systems, storage,deployed applications, and possibly limited control of select networkingcomponents (e.g., host firewalls).

The Deployment Models typically are as follows:

Private cloud: the cloud infrastructure is operated solely for anorganization. It may be managed by the organization or a third party andmay exist on-premises or off-premises.

Community cloud: the cloud infrastructure is shared by severalorganizations and supports a specific community that has shared concerns(e.g., mission, security requirements, policy, and complianceconsiderations). It may be managed by the organizations or a third partyand may exist on-premises or off-premises.

Public cloud: the cloud infrastructure is made available to the generalpublic or a large industry group and is owned by an organization sellingcloud services.

Hybrid cloud: the cloud infrastructure is a composition of two or moreclouds (private, community, or public) that remain unique entities butare bound together by standardized or proprietary technology thatenables data and application portability (e.g., cloud bursting forload-balancing between clouds).

A cloud computing environment is service-oriented with a focus onstatelessness, low coupling, modularity, and semantic interoperability.At the heart of cloud computing is an infrastructure comprising anetwork of interconnected nodes. A representative cloud computing nodeis as illustrated in FIG. 2 above. In particular, in a cloud computingnode there is a computer system/server, which is operational withnumerous other general purpose or special purpose computing systemenvironments or configurations. Examples of well-known computingsystems, environments, and/or configurations that may be suitable foruse with computer system/server include, but are not limited to,personal computer systems, server computer systems, thin clients, thickclients, hand-held or laptop devices, multiprocessor systems,microprocessor-based systems, set top boxes, programmable consumerelectronics, network PCs, minicomputer systems, mainframe computersystems, and distributed cloud computing environments that include anyof the above systems or devices, and the like. Computer system/servermay be described in the general context of computer system-executableinstructions, such as program modules, being executed by a computersystem. Generally, program modules may include routines, programs,objects, components, logic, data structures, and so on that performparticular tasks or implement particular abstract data types. Computersystem/server may be practiced in distributed cloud computingenvironments where tasks are performed by remote processing devices thatare linked through a communications network. In a distributed cloudcomputing environment, program modules may be located in both local andremote computer system storage media including memory storage devices.

Referring now to FIG. 3, by way of additional background, a set offunctional abstraction layers provided by a cloud computing environmentis shown. It should be understood in advance that the components,layers, and functions shown in FIG. 3 are intended to be illustrativeonly and embodiments of the invention are not limited thereto. Asdepicted, the following layers and corresponding functions are provided:

Hardware and software layer 300 includes hardware and softwarecomponents. Examples of hardware components include mainframes, in oneexample IBM® zSeries® systems; RISC (Reduced Instruction Set Computer)architecture based servers, in one example IBM pSeries® systems; IBMxSeries® systems; IBM BladeCenter® systems; storage devices; networksand networking components. Examples of software components includenetwork application server software, in one example IBM WebSphere®application server software; and database software, in one example IBMDB2® database software. (IBM, zSeries, pSeries, xSeries, BladeCenter,WebSphere, and DB2 are trademarks of International Business MachinesCorporation registered in many jurisdictions worldwide)

Virtualization layer 302 provides an abstraction layer from which thefollowing examples of virtual entities may be provided: virtual servers;virtual storage; virtual networks, including virtual private networks;virtual applications and operating systems; and virtual clients.

In one example, management layer 304 may provide the functions describedbelow. Resource provisioning provides dynamic procurement of computingresources and other resources that are utilized to perform tasks withinthe cloud computing environment. Metering and Pricing provide costtracking as resources are utilized within the cloud computingenvironment, and billing or invoicing for consumption of theseresources. In one example, these resources may comprise applicationsoftware licenses. Security provides identity verification for cloudconsumers and tasks, as well as protection for data and other resources.User portal provides access to the cloud computing environment forconsumers and system administrators. Service level management providescloud computing resource allocation and management such that requiredservice levels are met. Service Level Agreement (SLA) planning andfulfillment provides pre-arrangement for, and procurement of, cloudcomputing resources for which a future requirement is anticipated inaccordance with an SLA.

Workloads layer 306 provides examples of functionality for which thecloud computing environment may be utilized. Examples of workloads andfunctions which may be provided from this layer include: mapping andnavigation; software development and lifecycle management; virtualclassroom education delivery; data analytics processing; transactionprocessing; and others (e.g., enterprise-specific functions in a privatecloud).

It is understood in advance that although this disclosure includes adetailed description on cloud computing, implementation of the teachingsrecited herein are not limited to a cloud computing environment. Rather,embodiments of the present invention are capable of being implemented inconjunction with any other type of computing environment now known orlater developed.

Hybrid cloud environments drive the need for secure communicationbetween applications between different hosting environments. As thenumber of applications and platforms grows, the number of securecommunication paths grows rapidly. Prior art dedicated VPNs create largecommunication channels in environments that need to be secured. Manytransmission needs are highly-granular requirements, such as eventmanagement, wherein log data is sent from many devices to a centralserver; traditional VPN use wide communication channels which areunneeded and pose security risks. Other examples of applications whichtransmit small amounts of data between clouds include applicationstrying to sync data on a periodic basis, e.g., once in a month, ormonitoring applications which send regular but small amounts of data.

Prior art software VPNs can partially solve this problem by creatingcommunication paths for particular applications or particular clouds,however, application-based solutions generally apply only to a singleapplication, can be hard to manage, can be hard to monitor, and do nottake advantage of efficiency of scale.

The present invention includes embodiments that dynamically deploy andreconfigure highly-tuned VPNs based on application requirements frommultiple applications and provide optimal topologies for the hybridcloud environments.

At a high level, the general process for embodiments of the invention isillustrated in FIG. 4. As shown in step 401, the cloud applications,whether they are in the private cloud or public cloud, interact with acentral VPN Manager to request tunnel creation. The central VPN Managercan be installed in either the public or private clouds and provided tothe organization as a SaaS, a PaaS, or an IaaS capability. For the sakeof simplicity, the flow which results from the requests of a singlecloud application is shown. However, in a preferred embodiment, multiplecloud applications will be interacting with the VPN Managersimultaneously, and the process depicted in FIG. 4 may be in differentstages for respective applications. In step 403, the applicationrequesting the creation of a VPN tunnel provides the desiredrequirements for the VPN tunnel such as protocol, port, bandwidth limit,and other characteristics, e.g., the security qualities and thethroughput capabilities.

Next, in step 405, the VPN Manager provides a VPN endpoint agent, orsimply “VPN agent”, for installation on the requesting machine, oranother machine in the same cloud. In preferred embodiments, the VPNagent is then installed in the target machine. The VPN endpoint agentmay vary slightly to accommodate the requirements of the requestingmachine, for example, a Linux based system versus an iOS based system.In some embodiments of the invention, the VPN agents may be specialized,configured in different types, and the type of VPN agent assigned to aparticular VPN tunnel varies according the requested qualities andcapabilities for the VPN tunnel. In other embodiments of the invention,a generic, full featured VPN agent is used which can provide a varietyof VPN tunnel types. Depending on whether the request is theapplication's, or whether another application resident on the samemachine has made a previous request, a VPN agent may already be presentat the endpoint, or a nearby machine. Further, embodiments of theinvention use existing agents, such as Chef agents, or an API toexisting VPN controllers, rather than deploying a VPN agent. So step 405is optional in many embodiments of the invention. In step 407, the VPNagent communicates with the VPN Manager to receive deploymentconfiguration details as requested previously by the application, anddeploys the VPN tunnel according to those details.

As shown in step 409, the requesting applications can change thedesired, requested security qualities and throughput capabilitiesthroughout the application lifecycle for the VPN tunnel. The “tuning” ofthe VPN tunnel can change the security and other capabilities of thetunnel or, as discussed below, may involve merging or splitting the VPNtunnels to accommodate the changing requirements of the cloudapplications. For example, in the case of changing the characteristicsof the VPN tunnel, the VPN Manager may instruct the VPN agents to changea VPN tunnel from a big VPN pipe, two-way, fast security protocol tunnelused during deployment to a VPN tunnel which is a small one-way, verysecure VPN pipe for production. The VPN network can be tuned to optimizesecurity by only allowing the traffic and permissions needed by theauthorized applications on a minimum number of VPN tunnels. Trafficperformance can be increased by providing more VPN tunnels with a higherallowed bandwidth, at a possible cost to security. In one preferredembodiment, applications will communicate to the VPN Manager and the VPNManager in turn will communicate to the VPN agents on the two endpointsof the VPN tunnel. This step, that is, dynamically changing thethroughput and security qualities of a VPN tunnel, can be repeatedthroughout the application lifecycle.

As shown in step 411, the application can provide a VPN filter plugin tothe VPN Manager. The VPN filter will be used to filter traffic passingover the VPN tunnel. VPN filters provide the ability to permit or denytraffic after it exits a VPN tunnel and traffic before it enters a VPNtunnel generally by listing the ACL fields for what IP/Port(s) should bepermitted or denied. This step can be done as part of the request step403, or later as part of the changing security qualities, e.g., as partof the change request in step 409. A VPN filter originally requested instep 403, could be superseded or supplemented by a later requested VPNfilter. This step, requesting a new VPN filter, can be repeatedthroughout the application lifecycle. The VPN filter on a particular VPNtunnel can be modified in response to requests from other applicationswhich share the communication bandwidth of the VPN tunnel, when the VPNtunnel is merged with other VPN tunnels or split into multiple VPNtunnels.

By event and traffic logging, the VPN Manager provides visibility intothe VPN configuration, shown as step 413. In most preferred embodimentsof the invention, event logging is provided. In some embodiments,traffic logging is provided as well. In one preferred embodiment, theevent and traffic logging are VPN Manager related audit events. In otherembodiments of the invention, the events related to applicationsconnecting to other applications can be logged via the VPN agent. Forexample, the bandwidth used by the applications, including bandwidthhistory, may be logged by the VPN agents. In yet other embodiments,application communication traffic may be logged by the agents. Securityrelated events will be consumed by Security Operations Center (SOC) formonitoring for security breaches. Event and traffic logging aredescribed in greater detail below in connection with FIG. 8.

In preferred embodiments of the invention, the VPN Manager will routeand reroute traffic across existing VPN agents and deploy new VPN agentsto optimize traffic flow as needed, step 415. In response to detecteddrops in traffic, for example, using available traffic logs which arestored and monitored, the VPN Manager can instruct the VPN agents tomerge VPN tunnels, if the security requirements for the traffic on thetwo VPN tunnels are compatible. The detecting could be performed at theVPN agent which monitors application traffic. Alternatively, merging VPNtunnels could be in response to a well-behaved application, sending amessage to the VPN Manager that it has transitioned from a deploymentphase to a production phase, and thus, requires less bandwidth. The VPNManager determines that in view of the predicted reduction in demand,there is an opportunity to merge VPN tunnels. Alternatively, newrequests from new or existing applications may cause new VPN agents tobe created to handle a new anticipated load or requirement. The securityrequirements of the applications may change with the applicationlifecycle which may create the need for new VPN agents. This step mayentail reassigning different VPN agents to different VPN tunnels,killing unneeded VPN agents and creating and providing new VPN agents tohandle the merged VPN tunnel, or to handle a new VPN tunnel, if newtraffic is expected.

Also as depicted as step 417, the VPN tunnels may need to bereconfigured because requests made by the applications during thelifecycle of the applications, monitored traffic changes, or due tochanges in the machines on which the applications reside. As theapplication topology changes and machines get moved, the VPN Managerwill instruct the VPN agents to reconfigure, merge and split VPNs asneeded. According to the invention, “splitting” a VPN tunnel involvesrerouting traffic from existing applications or machines which werepreviously handled by a single VPN tunnel to two VPN tunnels. Incontrast, adding or creating a new VPN tunnel meets a new applicationrequest from an application which has not been previously served by theVPN Manager, but involves only traffic from a new source. The split ofthe VPN tunnel can contain traffic from new sources, but to beconsidered a split, some of the traffic on each of the VPN tunnels mustcome from existing sources. To a degree, the reconfiguration of the VPNtunnels and the preceding step of reconfiguring the VPN agents aresimilar steps as the VPN agents may need to be reconfigured andreassigned concurrently with the VPN tunnels, however, in the drawing,reconfiguring VPN agents and reconfiguring VPN tunnels are shown asseparate steps for sake of clarity.

In a preferred embodiment of the invention, the capabilities of the VPNManager, in concert with the VPN agents at the endpoints include theability to create new VPN tunnels between different clouds within thehybrid cloud environment. The VPN Manager has the ability to configuretunnel policies, such as bandwidth thresholds (minimum and maximum) andsecurity policies. The VPN Manager has the ability to federate withother VPN Managers which manage other cloud environments. The VPNManager can optimize VPN tunnel infrastructure by merging or splittingVPN tunnels dynamically in response to new requests, changes in theapplication lifecycle, changes in traffic or network reconfiguration orto dynamically configure VPN tunnel specifications for existing VPNtunnels. The VPN tunnel policies are used by the VPN Manager to decidewhether a proposed optimization is allowed, and whether a new requestfor VPN service can be accommodated by the existing VPN tunnelinfrastructure or will require VPN tunnels to be merged, added, split orreconfigured.

Creating and maintaining a VPN tunnel is well known in the prior art.The VPN tunnel can be created according to the requirements specified bythe administrator or requesting application. A VPN tunnel can be createdby a software application or by a dedicated hardware device. The problemwhich the invention addresses is that once created, the prior art VPNtunnels are static and do not adapt to changes in the cloud environmentsuch as application lifecycle changes and network topology changes.Because of their static natures, the prior art VPN tunnels present moreof a security exposure than the those of the present invention. Thepresent invention tunes the infrastructure of VPN tunnels to allow onlythe necessary traffic between cloud environments within the overallhybrid cloud environment.

More detailed descriptions of selected illustrative embodiments areprovided below. As shown in FIG. 5, one preferred embodiment of theinvention is used in a hybrid cloud environment that integrateson-premise infrastructure 501 hosting a private cloud, cloud workload onan IaaS infrastructure 503, and an application in a SaaS environment505. The figure also depicts a VPN Manager 508 operating in a genericcloud environment 507. The generic cloud environment 507 in which theVPN Manager 508 is resident can be either a private cloud or a publiccloud. Machines A-D are shown resident in IaaS infrastructure 501,machines E and F are shown in the SaaS environment 505, machines G-J areshown in the private cloud 501 and machines K and L are shown in thegeneric cloud environment 507. Log and Event Manager 512 is shownresident on machine M. VPN Manager 508 is resident on either machine Kor machine L.

As shown in FIG. 5, VPN tunnels 509 and 511 are configured according toan illustrative embodiment of the invention. In this embodiment of theinvention, an administrator is configuring the VPN tunnels using a userinterface. In other embodiments of the invention, VPN Manager awareapplications make requests directly to the VPN Manager. Theadministrator has Machine A contact the VPN Manager 508 and request aVPN tunnel connection 511 to Machine M so that log and event informationcan be reported to the log and event manager 512. As part of thisrequest, Machine A provides the desired requirements 513 for the VPNtunnel:

PROTOCOL: SYSLOG

PORT: 541

SOURCE: 10.1.1.5

TARGET: 9.1.2.20

BANDWIDTH: NO LIMIT

FILTER: A (/^app1[a-z]{0,10}$/)

SECURITY POLICY A

Those skilled in the art would appreciate that other parameters can begiven as VPN tunnel requirements and that these are merely illustrative.

The inclusion of a security policy is optional. A security policy wouldmost likely be included by a VPN Manager aware application. In lieu of aprovided security policy, the VPN Manager will construct a securitypolicy from the requirements provided by the requesting machine orapplication. Further, there may be a default security policy forcommunication between the respective clouds within the hybrid cloudenvironment. In the event of a conflict between a default securitypolicy and provided or constructed security policy, the VPN Manager mayissue an alert to the administrator via a user interface or have rulesfor resolving such conflicts, e.g., a provided security policy hasprecedence over a default security policy. Although both securityrequirements and security policies can be used in embodiments of theinvention, in preferred embodiments of the invention, these terms havethe following meanings. A “security requirement” is a security typeparameter that the requesting machine requires to be present in a VPNtunnel. Examples of security requirements include a VPN protocol andencryption security protocol to be used. A “security policy” wouldindicate how the security requirements are to be used in a VPN tunnel.It could be a mandate that the VPN only use the security requirementsspecified by the requestor. As another example, if a requestor specifiedsecurity requirement, a limited subset of compatible protocols which ifrequested by another requestor or used by another VPN tunnel which wouldform a basis for a candidate for joining the existing VPN tunnel ormerger of the VPN tunnels. Alternatively, a security policy could bepermissive allowing any security requirements specified by requestorsfrom the same cloud to be included in the VPN tunnel, but no othersecurity protocols if not requested by authorized machines. As anotherexample, a security policy could state that certain securityrequirements were not compatible in the same VPN tunnel. Thus, a“security policy” can be used to evaluate whether the “securityrequirements” of a plurality of applications or a plurality of VPNtunnels are compatible.

In one preferred embodiment, if the VPN Manager 508 has no prior contactwith Machine M, the VPN Manager 508 awaits a connection from Machine M.In this embodiment, the administrator registers Machine M with the VPNManager. In response to the request or registration, the VPN Manager 508installs VPN agents 515, 517 respectively on Machine M and Machine A.Next, acting through the installed VPN agents 515, 517, the VPN Manager508 configures the VPN 511 between Machine A and Machine M with thespecified parameters in the Machine A request 513 (syslog, port,unidirectional, bandwidth, etc.). That is, the VPN Manager 508 issuesinstructions and configuration requirements to the VPN agents which theVPN agents (or other existing entities) carry out. As is known to thoseskilled in the art, the VPN tunnel would use a selected VPN securitytechnology, such as the Internet Protocol security (IPsec), SecureSocket Layer/Transport Layer Security (SSL/TLS), or multiprotocol labelswitching (MPLS) to secure the tunnel. Other VPN security protocolsinclude Datagram Transport Layer Security (DTLS), MICROSOFT™Point-to-Point Encryption (MPPE), and Secure Shell (SSH) protocols. TheVPN security requirements in the Machine A could include the selectionof the VPN security protocol as well as the capabilities to encrypt dataaccording to different encryption standards such as support dataencryption standards (DES)/Triple DES (3DES) and Advanced EncryptionStandard (AES) with different key sizes or multicast or group encryptionstandards. The VPN security requirements can include the ability tocompress data according to a standard such as Lempel-Ziv-Stac (LZS)prior to encryption.

The administrator next has Machine B contact VPN Manager and request aVPN connection to Machine M. As part of this request, Machine B providesthe desired requirements 519 for the VPN:

PROTOCOL: SCP

PORT: 22

SOURCE: 10.1.1.5

TARGET: 9.1.2.20

BANDWIDTH: NO LIMIT

FILTER: B (/^app2[a-z]{0,30}$/)

SECURITY POLICY B

In response to the request, the VPN Manager 508 installs a VPN agent onMachine B. The VPN Manager identifies the pre-existing nearby VPN tunnel511 originating from Machine A. After establishing that Machine A's andMachine B's security policies are compatible, the VPN Manager 508configures Machine B via the VPN agent on Machine B to send specifiedtraffic to Machine A. Specified traffic is that traffic allowed by thesecurity policies. For example, certain security policies may allow onlyhttp traffic and not ftp traffic on the VPN tunnel. Then, the VPNManager 508 reconfigures the A to M VPN tunnel 511 to include the VPNfilters from the Machine B requirements 519. In this way, an existingVPN tunnel 511 from one machine can be reconfigured to pass traffic fromanother machine in the same cloud 503. The resulting VPN tunnel 511 hasthe following properties 521: Unidirectional, two packet types (one fromeach of the applications), two protocols (syslog and SCP), coming fromtwo sources. The aggregate VPN filter for VPN tunnel 511 is morepermissive in that it now allows traffic from two sources and two packettypes, however, in the preferred embodiment, the VPN filter still checksthat the correct packet type is coming from the correct machine.

In this illustrative embodiment, the VPN Manager 508 can manage VPNtunnels between more than two clouds in which the organization hasmachines. Continuing the example, the administrator requests that a VPNtunnel from Machine F from Generic SaaS Application in SaaS environment505 to the Log and Event Manager 512 in private cloud 501 be created.Either the administrator or the Generic SaaS Application owner makes arequest to the VPN Manager using the administrator supplied credentialsto create a VPN tunnel. The request contains the desired requirements523 for the VPN:

PROTOCOL: SCP

PORT: 80

SOURCE: 15.1.1.5

TARGET: 9.1.2.20

BANDWIDTH: NO LIMIT

FILTER: C (/^app3[a-z]{0,50}$/)

In response to the request, the VPN Manager 508 installs a VPN agent 522on Machine F. Through the VPN agent 522, the VPN Manager 508 configuresa VPN tunnel between Machine F and Machine M with the specified filtersfrom the initial request 523.

In this illustrative embodiment, Machines A and B provide log and eventdata to the Log and Event Manager on Machine M through VPN tunnel 511,and Machine F provides such data through VPN tunnel 509. As shown in thefigure, co-located Machines G and I also provide log and event data tothe Log and Event Manager. As Machines G and I can communicate directlythrough the private network in private cloud 501 with Machine M, thereis no need to involve the VPN Manager 508.

The steps described above provide an illustrative example of the initialconfiguration of the VPN tunnels. As will be discussed below, as theneeds of the applications change during their lifecycle, a well behavedapplication can issue further requests to change the parameters neededfor the tunnel. For example, during deployment or other periods of highusage, the application will require a high bandwidth through the tunnel.At other times, for example, during routine monitoring, the applicationwill require a lower bandwidth. The application can issue furtherrequests changing the requested bandwidth. In alternative embodiments,the VPN agent managing the VPN tunnel can monitor traffic coming from aset of applications. If the monitored traffic is much lower thanrequested, the VPN agent or VPN Manager can recognize an opportunity tomerge the tunnel with another suitable or reconfigure the tunnel for alower bandwidth. At end of life, e.g., when the application isuninstalled, as part of the uninstallation process a well behavedapplication will inform the VPN Manager that a VPN tunnel is no longerrequired. The security requirements of an application can also changeduring its lifecycle. In yet other embodiments of the invention, theevent and logging information is presented to an administrator who canissue requests for changing the VPN agent and VPN tunnel configurationbased on perceived application lifecycle changes from the event andlogging information.

FIG. 6 depicts one embodiment of an administrator view in a graphicaluser interface 600 in a sample dashboard provided by the VPN Manager.One skilled in the art will appreciate that other alternative userinterfaces can be provided according to the teachings of the invention.In this view, a current status view of the VPN tunnels is shown justafter the initial configuration described in association with FIG. 5. Inthis embodiment of the current status view, only the existing VPNtunnels, the clouds connected by the VPN tunnels and machines using theVPN tunnels are depicted and not the other components in the hybridcloud environment. Other embodiments of the current status view wouldshow other components. Machine M in private network 601 is shownrespectively coupled to IaaS infrastructure 603 and SaaS environment 605by VPN tunnel 611 and VPN tunnel 609. The requested configurationparameters from Machine A are shown in panel 613, while the requestedconfiguration parameters from Machine B are shown in panel 619. Theresulting VPN parameters of VPN tunnel 611 are shown in panel 621.Similarly, the requested configuration parameters from machine F areshown in panel 623 while the resulting VPN parameters for VPN tunnel 609are shown in panel 625. In one preferred embodiment, each of the panels613, 619, 621, 623 and 625 are editable by the system administrator. Byediting one of the requested configuration parameter panels 613, 619 or623, a new request is made to the VPN Manager for the VPNcharacteristics desired by one of the machines or applications runningon the machines. Once that request is executed, an update to the VPNcharacteristics would be shown in the appropriate VPN parameters panel621 or 625.

If insufficient space was available in the panel, a scroll control wouldbe presented, allowing the administrator to scroll through all of theavailable parameters. Non-editable parameters could be presented in agreyed out manner. Other views of the network are envisioned inpreferred embodiments of the invention. For example, all of the machinesin the networks could be presented so that new VPN connections could becreated. A point and drag mechanism could be used to define the newtunnel. In response to a point and drag operation by the administrator,default editable parameters could be populated in the requestedconfiguration panel which the administrator could edit or submit. Inanother alternative embodiment, an application view can be presentedshowing the applications operating in each of the environments ratherthan the machines.

Alerts can be presented. For example, in one preferred embodiment, VPNtunnel 611 or VPN parameter panel 621 is presented in a highlightedmanner, indicating an action for the administrator's attention. Forexample, highlighting two tunnels in the interface may indicate anopportunity for merging the two tunnels to provide more efficientservice. Highlighting a single tunnel may indicate that the throughputis exceeding the capacity of the tunnel, or that a new request forservice cannot be accommodated with the existing tunnel because of aconflict between a new set of requirements and the already existing VPNparameters for the tunnel created by prior requests. If the highlightedtunnels were selected by the administrator, additional details, such asevent logs and throughputs which were causes of the alerts can bepresented in additional panels.

The VPN Manager would expose options to manually add, delete andreconfigure VPN agents and VPN tunnels. In one preferred embodiment, theuser interface (UI) would be a UI+REST API interface. The Web based UIwill use the REST API or an external application could use the REST APIdirectly.

In FIG. 7A, an illustrative embodiment of reconfiguration of the VPNtunnels is shown. This example shows an example of a network topologychange which causes the VPN Manager 708 to change the VPN tunnelinfrastructure of the hybrid cloud. In the example, it is the removal ofa machine from one of the clouds. Other network topology changes includethe addition or removal of a cloud application, the addition of a“clone” machine having a same cloud application as another machine,e.g., for load balancing, moving a cloud application from one machine toanother machine and moving a cloud application from one cloud to anothercloud, e.g., from a private cloud to a public cloud. In preferredembodiments of the invention, this sort of network topology change willbe sent to the VPN Manager 708 as an “event” and the VPN Manager 708will either perform automatic reconfiguration of the VPN tunnelinfrastructure or present an alert to the administrator as a situationwhich is a candidate for a VPN tunnel reconfiguration.

As denoted by the “X”, the administrator removes Machine A from the IaaSinfrastructure 703, which triggers a reconfiguration of Machine Btraffic handled by Machine A. As the administrator begins removal ofMachine A, the VPN agent 704 on Machine A contacts VPN Manager in thecloud 707. The VPN Manager analyzes the combined VPN connections in VPNtunnel 711, in this case, the VPN tunnel 711 which originates fromMachine A also handles traffic from Machine B. The VPN Manager 708instructs VPN agent 712 on Machine B to create a Machine B to Machine MVPN tunnel 720 using pre-existing requirements, i.e. the existingrequirements from Machine B and any other machine in IaaS infrastructure703 which had been using VPN tunnel 711. Since Machine A is beingremoved, none of its requirements are relevant. Only the Machine Brequirements are used when setting up the VPN filter for the tunnel. Inthe diagram, the Machine B requirements when requesting VPN service areillustrated. Machine B had provided the desired requirements 719 for theVPN:

PROTOCOL: SCP

PORT: 22

SOURCE: 10.1.1.5

TARGET: 9.1.2.20

BANDWIDTH: NO LIMIT

FILTER: B (/^app2[a-z]{0,30}$/)

SECURITY POLICY B

As shown, the VPN parameters 721 for the new VPN tunnel 720 aredifferent from the parameters 521 for the combined VPN tunnel 511 shownin FIG. 5, or VPN tunnel 711 in this figure. VPN tunnel 711 is removedas denoted by the “X”. By only accommodating requested parameters fromrecognized machines which have current VPN tunnel needs, security isincreased.

FIG. 7A can also be used to discuss the removal of an application frommachine A. In this case, once the new VPN tunnel 720 is created, the VPNManager 708 optionally removes the A to M VPN tunnel 711. Alsooptionally, the VPN Manager 708 uninstalls VPN agent 704 on Machine A.These optional steps produce a well behaved system, and reduce thesecurity risk of maintaining the VPN tunnel and VPN agent when there areno subscribing, authorized applications resident on Machine A. However,alternative embodiments could keep the VPN tunnel or VPN agent alive, toreduce the overhead of starting a new VPN agent in case a newapplication request was made to the VPN Manager.

In embodiments of the invention, there are sets of rules for merging andsplitting the VPN tunnels. Security based rules are concerned withwhether the security requirements or policies of each of theapplications being serviced by or potentially being serviced by a VPNtunnel are compatible with the other applications' security requirementsor policies. Merging VPN tunnels would be conditioned on the securityrequirements of the applications being serviced by candidate VPN tunnelsbeing compatible. In embodiments of the invention, the compatibility ofthe security requirements are interpreted based on the security policiesof the applications or the security policy of the VPN Manager for cloudto cloud communication. For example, if one VPN tunnel allows only httptraffic and another VPN tunnel allows only ftp traffic due to theapplication security policies, then the two tunnels cannot be merged.However, if both tunnels allow http traffic or all traffic, then theycan be merged. As another example, the two applications on two differentVPN tunnels may require two different security or encryption protocols,and the security policy of the VPN Manager in effect for communicationbetween the two clouds requires that a single encryption protocol beused. Thus, an application security requirement or policy can preventmerger of VPN tunnels which might otherwise be merged for throughputefficiency.

In view of a new request from an application containing a new set ofsecurity requirements, an evaluation of the current VPN in view of acompatibility rule could cause the current VPN tunnel to be split. In apreferred embodiment, compatibility for a potential merge is determinedby evaluating the security requirements and VPN filters on the two VPNtunnels for direct conflicts. If a conflict is found, in someembodiments, a user interface may display the candidate VPN tunnels toan administrator to display the conflicts and the changes needed to makethe VPN tunnels compatible. In this way, an administrator can decide ifmodifying the VPN filter, adding additional types of traffic or securityor encryption protocols to the current VPN would be acceptable from asecurity standpoint. Another case when the VPN tunnel can be split in anembodiment is when the security requirements change of one of theapplications which use a shared VPN tunnel. For example, if anapplication now wants to transmit ftp traffic in addition to theoriginal http traffic and the current VPN tunnel does not allow ftptraffic, then the VPN tunnel could be split. As another example, if oneof the applications wants a higher level of encryption than the currentVPN tunnel, it may make sense to split the current VPN tunnel, ratherthan to incur higher overhead on all traffic. Other compatibility basedrules, for parameters other than security based parameters, are used inother embodiments of the invention.

Another set of rules is based on bandwidth or throughput of a VPNtunnel. A bandwidth rule can be based on an upper or lower threshold onbandwidth, for example. Splitting VPN tunnels can be performed if thetraffic of multiple applications is crossing the permissible tunnellimit (bandwidth). In this case, the VPN Manager will then split thetunnel. Merging VPN tunnels can be performed if one or more compatibleVPN tunnels has a bandwidth below the minimum tunnel bandwidth limit.

In FIG. 7B, an illustrative embodiment of reconfiguration and mergingthe VPN tunnels is shown. This example shows the case where the demandsfrom the applications on machines A and B have changed because ofreduced bandwidth requirements allowing merger of VPN tunnels 711 and720. Another case which would allow a merger of the VPN tunnels is achange in security protocols for one of the applications so that the newset of security protocols is compatible according to security policiesin effect. As shown, VPN tunnel 711 is being removed between the clouds701 and 703 as the other VPN tunnel 720 can accommodate the aggregatedemand. In preferred embodiments of the invention, the traffic (inaddition to security requirements) on the two VPN tunnels must becompatible for merger. In preferred embodiments of the invention, theVPN Manager 708 receives information from the VPN agents 704 and 712assigned to Machine A and Machine B. The VPN Manager reconfigures VPNagent 712 on Machine B to modify the Machine B to Machine M VPN tunnel720 adding requirements, i.e. the existing requirements from Machine Awhich had been using VPN tunnel 711. In the diagram, the Machine Arequirements 739 and Machine B requirements 719 are illustrated. MachineA provides the desired requirements 739 for the VPN tunnel:

PROTOCOL: SYSLOG

PORT: 541

SOURCE: 10.1.1.5

TARGET: 9.1.2.20

BANDWIDTH: NO LIMIT

FILTER: A (/^app1[a-z]{0,10}$/)

Machine B had provided the desired requirements 719 for the VPN:

PROTOCOL: SCP

PORT: 22

SOURCE: 10.1.1.5

TARGET: 9.1.2.20

BANDWIDTH: NO LIMIT

FILTER: B (/^app2[a-z]{0,30}$/)

As shown, the VPN parameters 751 for the modified VPN tunnel 720 aredifferent from the parameters from the individual VPN tunnels 711 and720 when they were supporting a single application. By onlyaccommodating requested parameters from recognized machines, security isincreased. In this figure, the VPN agent 704 on Machine A forwards thetraffic from Machine A to the VPN agent 712 on Machine B so that VPNtunnel 720 can handle the combined traffic.

In FIG. 7C, an illustrative embodiment of splitting a VPN tunnel 720 isshown. In this example, VPN tunnel 720 is no longer adequate to handlethe communications from both Machine A and Machine B. The splitting ofVPN tunnel can be the result of an administrator action or a request bya VPN Manager aware application indicating that its requirements havechanged or will change soon. The VPN Manager analyzes the combined VPNconnections in VPN tunnel 720 which originates from Machine B alsohandles traffic from Machine A and can display an alert to anadministrator via a user interface. In this example, a new set ofrequirements 759 is received from the application running on Machine Aindicating an expected increase in demand due to an update which willrequire a bidirectional VPN tunnel as well as a new security encryptionprotocol. In recognition that these new requirements 759 cannot befulfilled with VPN tunnel 720, or at least that modification of VPNtunnel 720 in response to the new requirements is not optimal, eitherfrom a security or throughput standpoint, the VPN Manager 708reconfigures VPN agent 704 on Machine A to create a new Machine A toMachine M VPN tunnel 763 using the new requirements. Thus, the old VPNtunnel 720 is “split” as traffic from the sources on Machine A andMachine B will be serviced by two VPN tunnels in the new VPN tunnelinfrastructure.

Machine A provides the desired requirements 759 for the VPN tunnel 763:

PROTOCOL: SYSLOG

ENCRYPTION PROTOCOL: ECC

PORT: 541

SOURCE: 10.1.1.5

TARGET: 9.1.2.20

BANDWIDTH: NO LIMIT BIDIRECTIONAL

FILTER: A (/^app1[a-z]{0,10}$/)

The VPN agent 712 on Machine B reconfigures VPN tunnel 720 so that itonly uses the Machine B requirements:

PROTOCOL: SCP

PORT: 22

SOURCE: 10.1.1.5

TARGET: 9.1.2.20

BANDWIDTH: NO LIMIT

FILTER: B (/^app2[a-z]{0,30}$/)

Again, by only accommodating requested parameters from recognizedmachines, security is increased, so the new VPN parameters 761 for themodified VPN tunnel 720 are different from the parameters 751 for thecombined VPN tunnel 720 shown in FIG. 7B. Similarly, the VPN parameters763 for new created VPN tunnel 757 only reflect the requirements 759 forMachine A.

FIG. 8 is a flow diagram of the event reporting and logging operationsof the VPN Manager. The event and traffic logging allows the VPN Managerto understand which applications are communicating with which otherapplications. It also allows the VPN Manager to understand which cloudsare being interconnected, what data is being communicated. Further,event reporting and logging operations will allow for the detection ofpolicy violations or security breaches by the Security Operations Center(SOC).

In step 801, the VPN Manager waits for events to be reported by the VPNagents. As events are received, step 803, the events are logged, step805. The VPN Manager determines whether the received event(s) trigger arule in step 807. To trigger a rule, the most recently received eventmay need to be correlated with events which have already been logged. Ashas been mentioned previously, one example of a rule is a trafficthreshold rule. If the traffic on a VPN is exceeding or projected toexceed a threshold, the VPN Manager will issue instructions to the VPNagents to split a single VPN tunnel into two tunnels. Another trafficthreshold rule is a minimum traffic rule. If adjacent VPN tunnels havetraffic below a threshold, the VPN Manager may issue instructions to theVPN agents to merge VPN tunnels. Another example of a rule is a securityrelated rule. If there have been security events related to a VPNtunnel, the VPN Manager may issue instructions to the VPN agents tochange the security parameters for the tunnel. For example, detectedintrusion events for one of the machines being serviced by a VPN tunnelhas experienced problematic events which bear further scrutiny. Thus,the VPN Manager may issue instructions to the VPN agent(s) for thattunnel to monitor events from the machine more closely or split the VPNtunnel so that events from the affected machine can be monitored, i.e.all events from the new tunnel are monitored, while allowing events fromother nonaffected machines to have lower intrusion detection overhead.

If the event is a modification request made by a VPN Manager awareapplication, the default rule may be to comply with the request. In thiscase, the VPN Manager will issue instructions to the VPN agent(s)consistent with the modification request. Another rule would be toevaluate whether the modification request is consistent with thesecurity policies in place for the VPN tunnel, and if not, to alert anadministrator for further action.

If a rule has been triggered by the event(s), in step 809, the VPNManager will issue instructions to the VPN agents to tune the VPNtunnel(s) appropriately. As explained above, tuning the VPN tunnel(s)includes modifying the parameters on a VPN tunnel, merging VPN tunnelsor splitting a VPN tunnel into two or more VPN tunnels. In one preferredembodiment, the rule will trigger an alert in a user interface to allowan administrator to confirm and/or modify the instructions to the VPNagents. The process returns to wait for new events in step 801.

FIG. 9 illustrates the process of optimizing traffic flow, merging andsplitting VPNs according to one embodiment of the invention. The processbegins in step 901, with the VPN Manager monitoring the existing VPNtunnels. This step includes monitoring for throughput and the eventsdescribed above in connection with FIG. 8. In one preferred embodiment,the VPN agents established at each tunnel endpoint and subscribingmachine and/or application report the relevant information to the VPNManager, step 903. Any instructions which the VPN Manager needs tocommunicate to the VPN agent are also transmitted in this step. Examplesof instructions which the VPN Manager will communicate to the VPN agentinclude which VPN tunnel to use for traffic from a given application ormachine, which end point (e.g., application) to connect the VPN tunnelto, what filter settings to have on, VPN agent and agent configurationrelated data, and so forth.

Based on the information received, in step 905, a decision is madewhether a change to the existing VPN infrastructure is indicated. Anaffirmative decision can be based on many factors. First, as describedabove, there could be a new administrator or application based requestfor changes to the VPN tunnel settings. The new request could pertain toa new connection for a new application or a new machine or to a changeto an existing VPN tunnel between already subscribing machines. Second,the change could be indicated by the throughput measurements by the VPNagents. VPN tunnels could be initially created by applications in adeployment phase of the application lifecycle, where high bandwidthrequirements exist. Thus, to provide the needed bandwidth, separate VPNtunnels are created. Later, in the production phase of the applicationlifecycle, the bandwidth requirements of the applications are lower, soprovided that the security requirements are compatible betweenapplications, VPN tunnels can be merged. Third, at the end of theapplication lifecycle, when the application is removed, the VPN tunneland VPN agent for that application can be removed or modified to supportonly those applications still resident at the end point. The VPN agentsreport that the VPN tunnels are being underutilized, and therefore, arecandidates for merger with other VPN tunnels. The VPN Manager, having amap of all of the existing VPN tunnels under its control, issues theneeded commands for merger, e.g., an existing set of requirements forthe VPN tunnel to be closed is sent to the first VPN agent controllingthe first VPN tunnel to remain open, a command to alter the VPNcharacteristics of the first VPN tunnel to those new requirements, acommand to forward communications from the second VPN agent currentlycontrolling the second VPN tunnel to be closed instead to the first VPNagent and so forth.

The change could be an indication that a VPN tunnel needs to be splitbecause of new bandwidth or security requirements. Previously merged VPNtunnels are often prime candidates for splitting into multiple tunnels.During the application lifetimes, there made be periods in which thebandwidth or security requirements change, for example, during an updateor in response to an indicated intrusion of one of the cloudapplications, i.e. requiring special security handling. Another reason aVPN tunnel needs to be split is due to new request by additionalmachines or applications. Suppose that in the example above, describedin reference to FIG. 5, that VPN tunnel 511 was adequate to serviceMachine A and Machine B, however, application or administrator requestswere made for VPN service for Machines C and D, and a single VPN tunnelcould not fulfill the bandwidth requirements for all four machines. Oneoption might be to create a new VPN tunnel servicing Machines C and D.However, the VPN Manager might establish that the requirements forMachines A and C are more compatible than Machines A and B, and so itwould be most efficient to have one VPN tunnel service Machines A and Cand a second VPN tunnel service B and D. If no change is indicated, thenthe process returns to monitoring the VPN tunnels, step 901.

In step 907, a determination whether the change can be accomplished withthe existing set of VPN tunnels. In general, it will be more efficient,and the cloud will be less porous to security attacks, the fewer VPNtunnels between the two clouds that are maintained. A comparison of therequested bandwidth, current bandwidth and available bandwidth of thecurrent tunnel is made. A comparison of the existing and requestedsecurity parameters is made to determine the compatibility of thesecurity parameters requested by the respective applications. If theexisting VPN tunnels can be used, including merger of the existing VPNtunnels, the existing VPN agents are issued the desired requirements tomake any needed changes to the VPN tunnels. If the VPN tunnels can beused, it is likely that there are VPN agents already installed in therequesting machines. However, if new VPN agents are needed, e.g., in anembodiment where specialized rather than generic VPN agents are used,the VPN Manager sends them to the machine endpoints in step 911. Theprocess then continues monitoring the existing VPN infrastructure, step901.

On the other hand, if the change requires a new VPN tunnel, the processthen determines whether a VPN agent is already installed in step 913. Ifnot, in step 915, the VPN Manager sends the new VPN agent to theendpoint which needs it. In step 917, the new VPN tunnel is createdthrough the new and/or existing VPN agents. The new VPN tunnel may beconsidered a split of an existing tunnel. The process then returns tostep 901 to monitor the VPN infrastructure for possible changes.

In the preferred embodiments of the invention, a central VPN Manager iscontrolled by a single system or cloud provider. For example, in cloudenvironments, it would be valuable for IaaS and PaaS providers toprovide a VPN capability as enabled by the present invention into thoseenvironments.

A federation model can be used where one VPN Manager is provided by onecloud provider, and the cloud provider uses a model similar to federatedidentity (OAuth, OpenID, etc.) to create a trust model between clientnetworks and other cloud networks. When an application belonging a oneorganization wants a VPN tunnel, it can use a federation typeauthentication with the organization VPN server to have trustestablished with the cloud provider VPN Manager.

One embodiment is illustrated in FIG. 10. An application for a firstorganization is resident on Machine M in one of a first set of clouds1001 and needs a VPN tunnel created to communicate with Machine F in oneof a second set of clouds 1003 belonging to a different organization.VPN tunnels between machines in set of clouds 1001 are managed by VPNManager 1005, while VPN tunnels in set of clouds 1003 are managed by VPNManager 1007.

Then when applications want a VPN tunnel they make a request to theirown VPN provider server, e.g., the application on Machine M contacts VPNManager 1005. The VPN Manager 1005 would communicate with itscounterpart VPN Manager 1007 to set up the new VPN tunnel 1011. Thus,clients would communicate with the other trusted clients using a VPNtunnel to provide an access point and encryption. The VPN tunnel canflow through the central server or the VPN Manager can spawn anadditional lightweight tunnel. Similar to the description above for VPNtunnels within a hybrid cloud environment, the VPN tunnels managedbetween the two cloud environments 1001 and 1003 can be reconfigured,merged and split to accommodate the needs of the applications duringtheir lifecycles.

The above-described subject matter provides many advantages. Inpreferred embodiments, the merging and splitting of VPN tunnels allowsfor network optimizations. The VPN Manager can take into considerationavailable bandwidth, available machine compute, network topology and VPNoverhead when making decisions around location and combination of VPNs.The prior art uses dedicated VPN tunnels to provide security betweencloud environment. By monitoring the throughput on given VPN tunnels,the VPN Manager can suggest the creation of an additional VPN tunnel tosplit VPNs handling a large amount of traffic or suggest mergingunderutilized VPNs terminating at locations within the same cloud.

When integrated into cloud environments, with sufficient privilege, theVPN Manager may automatically deploy a dedicated machine to offload VPNtraffic. If the VPN Manager has the credentials of a cloud administratoravailable, then it can use the credentials to automatically create a VMin the cloud and dedicate it for processing VPN traffic, thus creating anew VPN Manager to share the load. This will help ease the load on theexisting machine running the VPN Manager and also makes the VPN Managermore scalable for the hybrid cloud. All or some VPN agents will thenstart communicating with the new VPN Manager. In another embodiment, theVPN Manager may also offload to a dedicated VPN appliance depending onavailability. If the VPN Manager detects a VPN appliance, it can install(or use an already installed) VPN Manager, then in similar fashion tocloud VM, the VPN Manager can start offloading traffic to the VPNappliance to relieve some of the workload on the existing VPN manager.While invention can be largely autonomic in some preferred embodimentsof the invention, the administrator may manually tune the VPN tunnelsthrough the user interface. In autonomic embodiments of the invention, auser interface can be provided to alert the administrator of actionstaken by the VPN Manager. The administrator can examine the log ofevents detected by the agents and the subsequent actions taken by ordirected to be taken by the VPN Manager to either adjust the autonomicpolicies or to overrule actions taken by the VPN Manager. Theadministrator can install physical VPN appliances and configure the VPNManager to explicitly use those appliances by default.

In alternative embodiments, rather than the agent-based managementdiscussed above, the VPN Manager could leverage cloud APIs or leverageexisting agents (such as Chef client agents) to reconfigure theendpoints of the VPN tunnels. In these embodiments, the actionsdescribed above as taken by the VPN agents are instead taken by othernetwork entities such as the Chef agents or other VPN controllingmechanisms already resident in the cloud infrastructure. When using thecloud APIs, there could be software based networking available in thecloud which could be used to create VPN tunnels for all VMs connected toa software defined network (SDN), instead of deploying agents on eachand every machine.

As discussed above, an application can change the VPN parameters for theVPN tunnel as the lifecycle of the application changes. For example,during an application deployment process, the application may requiredifferent communication bandwidth and security protocols. For example,an SSH protocol over the VPN tunnel may be required during the productinstallation, but not during the product runtime. The application canprovide a new set of requirements for dynamic VPN tunnel reconfigurationto the VPN Manager.

The VPN Manager provides dynamic VPN deployment, management andreconfiguration responsive to detailed and dynamic requirements suppliedby a set of applications or machines within the organizations networks.By allowing the merger and splitting of multiple flexible VPN tunnels,the efficiency and security of a hybrid cloud is improved. Further, anorganization can use the invention to provide VPN tunneling capabilitieswith federation with the cloud environment controlled by partners orother trusted entities. Federation of VPN capability throughestablishment of trust between VPN Managers belonging to differentorganizations allows applications to leverage existing trustrelationships without requiring the application itself to join multipleorganizations.

Embodiments of the invention allow changes to the VPN tunnel topology inresponse to automated deployment and removal of cloud-hosted hardwarefor more efficient management and to offload VPN activity. The choice ofVPN technology responsive to environment changes and requirements of therequesting applications. By leveraging is cloud infrastructure (APIs,automated deployment tools), the VPN Manager can manage VPN tunnels witha minimum of additional infrastructure. Embodiments of the inventionresponsively change the communication based on application lifecycle,such as real-time changing of allowed protocols based onapplication-driven commands. By continuously monitoring the VPN tunnelrequirements provided by administrator or the set of applications,embodiments of the invention provide for dynamic VPN tunnelreconfiguration.

There are many advantages of the invention over the prior art. Theinvention provides dynamic VPN deployment, management andreconfiguration responsive to detailed and dynamic requirements suppliedby the applications. Moreover, multiple VPN Managers can manage VPNs indifferent clouds and through federation of VPN capability throughestablishment of trust between VPN Managers, applications can leveragethe existing trust relationship to request a VPN from a trusted VPNManager from a different cloud.

The combination of multiple flexible VPN tunnels into a single VPNtunnel improves efficiency and security of intercloud communications. Ifneeded, splitting of combined VPNs to meet new demands can also beaccomplished. In embodiments of the invention, the hardware used toprovide the VPN function is automatically deployed and removed for moreefficient management. The VPN technology chosen for creating a giventunnel is responsive to cloud environment and the requirements specifiedby the application. Where specialized VPN agents are used, thespecialized VPN agents are configured to provide the requirementsrequested by the application or machine requesting a VPN tunnel. Thecloud infrastructure itself is flexible, allowing reassignment of tasksbetween machines. This flexibility can be leveraged in the VPNmanagement process (APIs, automated deployment tools) by assigning suchresources dynamically to additional manage VPNs as needed.

The VPN tunnels can be responsively changed to provide for expansion orrestriction of the communication channel based on the applicationlifecycle, as well as real-time changing of the allowed protocols in aVPN tunnel based on application-driven commands. In preferredembodiments of the invention, the VPN agents continuously monitor VPNrequirements provided by administrator or the application, or a set ofapplications, and the actual throughput being demanded by theapplication, for dynamic VPN reconfiguration. As described, the approachherein may be implemented manually or in an automated manner, in wholeor in part.

While a preferred operating environment and use case has been described,the techniques herein may be used in any other operating environment inwhich it is desired to deploy services.

As has been described, the functionality described above may beimplemented as a standalone approach, e.g., one or more software-basedfunctions executed by one or more hardware processors, or it may beavailable as a managed service (including as a web service via aSOAP/XML interface). The particular hardware and software implementationdetails described herein are merely for illustrative purposes are notmeant to limit the scope of the described subject matter.

More generally, computing devices within the context of the disclosedsubject matter are each a data processing system (such as shown in FIG.2) comprising hardware and software, and these entities communicate withone another over a network, such as the Internet, an intranet, anextranet, a private network, or any other communications medium or link.The applications on the data processing system provide native supportfor Web and other known services and protocols including, withoutlimitation, support for HTTP, FTP, SMTP, SOAP, XML, WSDL, UDDI, andWSFL, among others. Information regarding SOAP, WSDL, UDDI and WSFL isavailable from the World Wide Web Consortium (W3C), which is responsiblefor developing and maintaining these standards; further informationregarding HTTP, FTP, SMTP and XML is available from Internet EngineeringTask Force (IETF).

In addition to the cloud-based environment, the techniques describedherein may be implemented in or in conjunction with various server-sidearchitectures including simple n-tier architectures, web portals,federated systems, and the like.

Still more generally, the subject matter described herein can take theform of an entirely hardware embodiment, an entirely software embodimentor an embodiment containing both hardware and software elements. In apreferred embodiment, the trusted platform module function isimplemented in software, which includes but is not limited to firmware,resident software, microcode, and the like. Furthermore, the interfacesand functionality can take the form of a computer program productaccessible from a computer-usable or computer-readable medium providingprogram code for use by or in connection with a computer or anyinstruction execution system. For the purposes of this description, acomputer-usable or computer readable medium can be any apparatus thatcan contain or store the program for use by or in connection with theinstruction execution system, apparatus, or device. The medium can be anelectronic, magnetic, optical, electromagnetic, infrared, or asemiconductor system (or apparatus or device). Examples of acomputer-readable medium include a semiconductor or solid state memory,magnetic tape, a removable computer diskette, a random access memory(RAM), a read-only memory (ROM), a rigid magnetic disk and an opticaldisk. Current examples of optical disks include compact disk-read onlymemory (CD-ROM), compact disk-read/write (CD-R/W) and DVD. Thecomputer-readable medium is a tangible, non-transitory item.

The computer program product may be a product having programinstructions (or program code) to implement one or more of the describedfunctions. Those instructions or code may be stored in a computerreadable storage medium in a data processing system after beingdownloaded over a network from a remote data processing system. Or,those instructions or code may be stored in a computer readable storagemedium in a server data processing system and adapted to be downloadedover a network to a remote data processing system for use in a computerreadable storage medium within the remote system.

In a representative embodiment, the techniques are implemented in aspecial purpose computing platform, preferably in software executed byone or more processors. The software is maintained in one or more datastores or memories associated with the one or more processors, and thesoftware may be implemented as one or more computer programs.Collectively, this special-purpose hardware and software comprises thefunctionality described above.

In the preferred embodiment, the functionality provided herein isimplemented as an adjunct or extension to an existing cloud computedeployment management solution.

While the above describes a particular order of operations performed bycertain embodiments of the invention, it should be understood that suchorder is exemplary, as alternative embodiments may perform theoperations in a different order, combine certain operations, overlapcertain operations, or the like. References in the specification to agiven embodiment indicate that the embodiment described may include aparticular feature, structure, or characteristic, but every embodimentmay not necessarily include the particular feature, structure, orcharacteristic.

Finally, while given components of the system have been describedseparately, one of ordinary skill will appreciate that some of thefunctions may be combined or shared in given instructions, programsequences, code portions, and the like.

Having described our invention, what we now claim is as follows.

The invention claimed is:
 1. A method comprising: in a first virtualprivate network (VPN) agent, managing a first VPN tunnel in a pluralityof VPN tunnels, wherein the first VPN tunnel provides communication fortraffic between a first node in a first cloud and a second node in asecond cloud in a hybrid cloud environment; receiving a request from aVPN manager, the request including a first set of requirements for afirst cloud application for the first VPN tunnel in the plurality of VPNtunnels; creating the first VPN tunnel according to the first set ofrequirements; receiving a modification request from the VPN managercontaining a second set of requirements for a second cloud applicationwherein a second VPN tunnel provides communication for the second cloudapplication; and tuning the first VPN tunnel according to the second setof requirements, wherein the tuning includes merging the second VPNtunnel with the first VPN tunnel, wherein the modification request isbased on a determination that the first and second sets of requirementsare compatible, wherein the first VPN tunnel after merging continues toprovide communication between the first node and the second node.
 2. Themethod as recited in claim 1, further comprising: monitoring for eventsoccurring in the first VPN tunnel; detecting a first event occurring inthe first VPN tunnel; and sending the first event to the VPN manager. 3.The method as recited in claim 1, wherein the first set of requirementsinclude a set of security requirements.
 4. The method as recited inclaim 2 wherein the first event is selected from the group consisting ofdetecting a change in traffic bandwidth in the first VPN tunnel, anetwork topology change for the first cloud and a modification requestfrom the first or second cloud application for a change in securityrequirements for a VPN tunnel.
 5. The method as recited in claim 1,further comprising: receiving a second modification request from the VPNmanager, the second modification request including a third set ofrequirements for the first VPN tunnel; modifying the first VPN tunnelaccording to the third set of requirements, wherein the first set ofrequirements is for traffic from the first cloud application and thesecond set of requirements is for traffic from the second cloudapplication; tuning the first VPN tunnel according to the third set ofrequirements, wherein the tuning comprises splitting the first VPNtunnel into the first VPN tunnel to accommodate traffic from the firstcloud application and a third VPN tunnel to accommodate traffic from thesecond cloud application, wherein the first and the third VPN tunnelsprovide communication between the first and second node and wherein thesecond modification request is based on a determination that the firstand third sets of requirements are incompatible.
 6. The method asrecited in claim 1, further comprising: receiving a selected VPN agentfrom the VPN manager; installing the selected VPN agent in a firstsystem; and wherein the VPN agent is selected based on the first set ofrequirements.
 7. Apparatus, comprising: a processor; computer memoryholding computer program instructions executed by the processor tomanage a first virtual private network (VPN) tunnel of a plurality ofVPN tunnels, wherein the first VPN tunnel provides communication fortraffic between a first node in a first cloud and a second node in asecond cloud in a hybrid cloud environment, the computer programinstructions comprising: program code, which causes the processor toreceive a first request from a VPN manager, the request including afirst set of requirements for the first VPN tunnel in the plurality ofVPN tunnels; program code, which causes the processor to create thefirst VPN tunnel according to the first set of requirements; programcode, which causes the processor to receive a second request from theVPN manager, the second request including a second set of requirementsfor a second VPN tunnel in the plurality of VPN tunnels; program code,which causes the processor to create the second VPN tunnel according tothe second set of requirements; program code, which causes the processorto receive a merge request to merge the second VPN tunnel into the firstVPN tunnel, wherein the merge request is based on a determination thatthe first and second set of requirements are compatible; program code,which causes the processor to merge the second VPN tunnel into the firstVPN tunnel; and program code, which causes the processor to tune thefirst VPN tunnel according to the second set of requirements after themerge of the second and first VPN tunnels, wherein the first VPN tunnelafter merging continues to provide communication between the first nodeand the second node.
 8. The apparatus as recited in claim 7, furthercomprising: program code which causes the processor to monitor events inthe first VPN tunnel; program code which causes the processor to receiverequests from applications using the first VPN tunnel; and program codewhich causes the processor to communicate requests and informationconcerning the management of the first VPN tunnel to the VPN manager. 9.The apparatus as recited in claim 7, wherein the first set ofrequirements include a first set of security requirements and the secondset of requirements include a second set of security requirements andthe apparatus further comprises program code which causes the processorto determine whether the first and the second sets of securityrequirements are compatible prior to merging the first VPN tunnel andthe second VPN tunnel.
 10. The apparatus as recited in claim 8, whereinthe event is a detected change in traffic bandwidth in the first VPNtunnel detected by the VPN agent.
 11. The apparatus as recited in claim8, further comprising: a set of specialized VPN agents; and program codewhich causes the processor to select a selected VPN agent among thespecialized VPN agents according to the first set of requirements. 12.The apparatus as recited in claim 8, wherein the event is detecting anapplication lifecycle change of the first cloud application.
 13. Theapparatus as recited in claim 10, wherein the program code operative tomonitor events in the first VPN tunnel further comprises: program codewhich causes the processor to determine whether a lower threshold oftraffic bandwidth has been crossed in the first VPN tunnel; program codewhich causes the processor to determine whether an upper threshold oftraffic bandwidth has been crossed in the first VPN tunnel; and programcode, responsive to a determination that a threshold has been crossedwhich causes the processor to send a message to the VPN manager.
 14. Theapparatus as recited in claim 8, further comprising: program code whichcauses the processor to receive a split request from the VPN manager tosplit the first VPN tunnel into a third VPN tunnel and the first VPNtunnel, wherein the split request is based on a determination that thefirst and a third sets of requirements are incompatible, the first setof requirements is for a first cloud application and the third set ofrequirements is for a second cloud application; and program code whichcauses the processor to split the first tunnel into the first VPN tunneland the third VPN tunnel, wherein both the first and the third VPNtunnel provide communication between the first node and the second node.15. A computer program product in a non-transitory computer readablemedium for use in a data processing system, the computer program productholding computer program instructions executed by the processor tomanage a first virtual private network (VPN) tunnel of a plurality ofVPN tunnels, wherein the first VPN tunnel provides communication betweena first node in a first cloud and second node in a second cloud in ahybrid cloud environment, the computer program instructions comprising:program code, which causes the processor to receive a first request froma VPN manager, the first request including a first set of requirementsfor a first VPN tunnel in the plurality of VPN tunnels; program code,which causes the processor to create the first VPN tunnel according tothe first set of requirements; program code, which causes the processorto receive a second request from the VPN manager, the second requestincluding a second set of requirements for a VPN tunnel in the pluralityof VPN tunnels; program code, which causes the processor to modify thefirst VPN tunnel according to the second set of requirements, whereinthe first set of requirements is for traffic from a first cloudapplication and the second set of requirements is for traffic from asecond cloud application and the first VPN tunnel carries traffic fromfirst and second cloud applications; program code, which causes theprocessor to receive a split request for the first VPN tunnel, whereinthe split request is based on a determination that the first and secondset of requirements are incompatible; and program code, which causes theprocessor to split the first VPN tunnel into the first VPN tunnel and asecond VPN tunnel wherein the first and the second VPN tunnel providecommunication between the first and second nodes, wherein the VPN agenttunes the first VPN tunnel according to the first set of requirementsfor traffic for the first cloud application and tunes the second VPNtunnel according to the second set of requirements for traffic for thesecond cloud application.
 16. The computer program product as recited inclaim 15, further comprising: program code which causes the processor tomonitor events in the first VPN tunnel; program code which causes theprocessor to receive requests from applications using the first VPNtunnel; and program code which causes the processor to communicaterequests and information concerning the management of the first VPNtunnel to the VPN manager.
 17. The computer program product as recitedin claim 15, wherein a change in security requirements for the firstcloud application causes the split request to be issued for the firstVPN tunnel.
 18. The computer program product as recited in claim 15,further comprising program code which causes the processor to remove thefirst VPN tunnel at an end of a first cloud application lifecycle.
 19. Amethod comprising: in a first virtual private network (VPN) agent,managing a first VPN tunnel of a plurality of VPN tunnels, wherein thefirst VPN tunnel provides communication between a first node in a firstcloud and a second node in a second cloud in a hybrid cloud environment;receiving a first request from a VPN manager, the first requestincluding a first set of requirements for a first VPN tunnel in theplurality of VPN tunnels; creating the first VPN tunnel according to thefirst set of requirements; receiving a second request from the VPNmanager, the second request including a second set of requirements for aVPN tunnel in the plurality of VPN tunnels; modifying the first VPNtunnel according to the second set of requirements, wherein the firstset of requirements is for traffic from a first cloud application andthe second set of requirements is for traffic from a second cloudapplication and the first VPN tunnel carries traffic from first andsecond cloud applications; splitting the first VPN tunnel based on adetermination that the first and second set of requirements areincompatible, wherein the first VPN tunnel is split into the first VPNtunnel and a second VPN tunnel wherein the first and the second VPNtunnel provide communication between the first and second nodes, whereinthe VPN agent tunes the first VPN tunnel according to the first set ofrequirements for traffic for the first cloud application and tunes thesecond VPN tunnel according to the second set of requirements fortraffic for the second cloud application.
 20. A computer program productin a non-transitory computer readable medium for use in a dataprocessing system, the computer program instructions comprising:computer memory holding computer program instructions executed by theprocessor to manage a first virtual private network (VPN) tunnel of aplurality of VPN tunnels, wherein the first VPN tunnel providescommunication for traffic between a first node in a first cloud and asecond node in a second cloud in a hybrid cloud environment, thecomputer program instructions comprising: program code which causes theprocessor to receive a first request from a VPN manager, the requestincluding a first set of requirements for the first VPN tunnel in theplurality of VPN tunnels; program code which causes the processor tocreate the first VPN tunnel according to the first set of requirements;program code which causes the processor to receive a second request fromthe VPN manager, the second request including a second set ofrequirements for a second VPN tunnel in the plurality of VPN tunnels;program code which causes the processor to create the second VPN tunnelaccording to the second set of requirements; program code which causesthe processor to receive a merge request to merge the second VPN tunnelinto the first VPN tunnel, wherein the merge request is based on adetermination that the first and second set of requirements arecompatible; program code which causes the processor to merge the secondVPN tunnel into the first VPN tunnel; and program code which causes theprocessor to tune the first VPN tunnel according to the second set ofrequirements after the merge of the second and first VPN tunnels,wherein the first VPN tunnel after merging continues to providecommunication between the first node and the second node.